Aksi Marsovich
Intergalactic expert
Instead of one violation with a fine of 10,000 rubles (for legal entities under Article 13.11), after July 1 there will be seven, and the total fine can be up to 295,000 rubles.
Personal data is
There is no precise definition or list of personal data in the law: it includes any information that relates to an individual who is identified, or can be identified on the basis of such information (the subject of personal data). This clearly includes:
Name, surname, patronymic (and separately)
Information about the main identity document
Date and place of birth
Address
Telephone
Email
Photo
Link to personal website and social media profile
Family, social and property status
Education, profession, etc.
How does this apply to websites?
In addition to the full name, phone number and e-mail, which the user often leaves in feedback forms, personal data also began to include data about the user's behavior on the site, cookies, information about his geolocation and IP address. This is proven by judicial practice: in 2016, in a case with the recruiting service LinkedIn, a decision was made to block this service due to the use of cookies, information about the user's behavior on the page and information about location.
So, from July 1, in the absence of an agreement on the processing of personal data in any feedback form that the user fills out, the company exposes itself to a fine of 50,000 rubles. If the site does not have a privacy policy, it will be subject to a fine of 30,000 rubles.
How Website Owners Can Avoid Fines: An Action Plan
In all data entry forms (registration, application, subscription, etc.), place the following inscription: “By clicking the button, you consent to the processing of your personal data.” It must contain a link to a document (or website page): Consent to the processing of personal data. Instead of consent, you can use a single public offer, but it must specify for what purposes and what data is processed (everything, according to Part 4 of Article 9 of Federal Law 152). The document must also give an email address that the website user can write to in order to revoke their consent and have their personal data deleted.
The company owner must approve the Personal Data Processing Policy by order and post it on the website. The simplest implementation is to add a link to the relevant document or page in the website footer.
Warn all new users of the site that it collects user metadata (cookies, IP address and location data). If the user does not want this data to be processed, he/she must leave the site.
Find out where the website database is stored. Federal Law No. 242-FZ requires that the collection, systematization, accumulation, storage, clarification (updating, changing) and extraction of personal data of Russian citizens be carried out using databases located on the territory of the Russian Federation. That is, the law prohibits collecting and storing this data abroad. You can find out where the website database is located from your hosting provider.
Submit a notification of personal data processing to Roskomnadzor. A company that has access to personal data (including through a website) is a personal data operator. It is not necessary to confirm the operator status with Roskomnadzor, but it is necessary to notify it so that the organization can be included in the register of personal data operators. This can be done by clicking on the link.